
List:       oss-security
Subject:    Re: [oss-security] CVE Request: PackageKit "update" allows downgrade of packages when using the "zypp
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-02-25 21:24:01
Message-ID: 512BD671.6080509 () redhat ! com

On 02/23/2013 12:34 AM, Marcus Meissner wrote:
> Hi,
> 
> On openSUSE we have started to allow local logged in users to install
> online updates (but not install new packages or remove ones), as this
> seems a common and secure operation to us.
> (Also done in light of the Linus Torvalds flame posting.)
> 
> PolicyKit rules in PackageKit also allow this in the vanilla version:
> 	org.freedesktop.packagekit.system-update
> shipping default is "yes" for local logged-in active users.
> 
> 
> So far we assumed that the update operation only allows upgrading versions.
> 
> The enforcement of this rule did not fully work, so at least the "zypp"
> backend of PackageKit allowed downgrade of packages using this call.
> The "update" method also allowed installing non-update resolvables like
> patterns or even new packages.
> 
> We have not checked the other backends; they might also be affected.
> 
> https://bugzilla.novell.com/show_bug.cgi?id=804983
> https://bugs.freedesktop.org/show_bug.cgi?id=61231
> https://gitorious.org/packagekit/packagekit/commit/d3d14631042237bcfe6fb30a60e59bb6d94af425
> 
> 
> As the default assumed secure behaviour is violated, this requires a CVE.
> 
> Ciao, Marcus
> 

Please use CVE-2013-1764 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

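The policy Marcus describes (a "system-update" action must only raise the version of an already-installed package) as an added example; this is not PackageKit's or libzypp's code, and the version comparison is a simplified rpmvercmp-like segment compare written here, not libzypp's own. Sample data is constructed.

```python
# Added example, not PackageKit/libzypp code: an "update-only" filter of the
# kind the zypp backend lacked (CVE-2013-1764). It rejects downgrades, new
# package installs and non-package resolvables (patterns, patches) so that
# org.freedesktop.packagekit.system-update cannot be used for anything but a
# strict version increase of an installed package.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Resolvable:
    kind: str      # "package", "pattern", "patch", ...
    name: str
    version: str   # "version-release" style string (assumed format)


_SEG = re.compile(r"(\d+|[A-Za-z]+)")


def vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp (assumption): compare numeric/alpha segments in
    order; returns 1 if a is newer, -1 if older, 0 if equal."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            r = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            r = 1 if x.isdigit() else -1   # numeric segment sorts newer
        else:
            r = (x > y) - (x < y)
        if r:
            return r
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def filter_updates(requested, installed):
    """Return (allowed, rejected) where rejected maps name -> reason.
    `installed` maps package name -> installed version."""
    allowed, rejected = [], {}
    for r in requested:
        if r.kind != "package":
            rejected[r.name] = f"non-package resolvable ({r.kind})"
        elif r.name not in installed:
            rejected[r.name] = "not installed (would be a new install)"
        elif vercmp(r.version, installed[r.name]) <= 0:
            rejected[r.name] = f"not newer ({installed[r.name]} -> {r.version})"
        else:
            allowed.append(r)
    return allowed, rejected
```

Everything the filter rejects is exactly what the original check let through: downgrades, brand-new packages, and pattern resolvables.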